OT: change NT login procedure

Toomas Soome tsoome at ut.ee
Wed Jan 31 15:41:02 GMT 2001

On Wed, 31 Jan 2001, Andrew Bartlett wrote:

> > windows-> unix is a problem, because we do not get cleartext old
> > password from windows client (am I wrong?).
> Why do we need the plaintext?  We run as root, we can do what we want.

yes, with plain /etc/passwd. but not with kerberos, NIS+, ... with some
cases you can drop old authentication token, with other cases, it's needed
to reencrypt some other keys or data.

> > task is to rewrite current samba interface for password change to use
> > standard pam interface (with old password from internal storage and new
> > password from client) and it's done. nice and clean.
> Using pam is the way to do it, I have been considering what would be
> required to get samba to use samba rather that 'passwd'.  I don't think
> pam actualy needs the old password.  As far as I can tell, all you would
> need is some twidiling of real and effective uids during the process to
> make pam think you are root (no old password) but also a normal user
> (pam_cracklib and friends).

yes, this is exactly the thing I'm talking about. the problem is - you
need old password to use pam interface. and since it is not available as
plaintext, samba is useing /bin/passwd as root just now.

the main problem with this is, that it's not good idea to have cleartext
passwords stored in system. this is the reason, why unix is useing (one
way) crypt(). You can encrypt cleartext passwords, but as encryption key
must be available for samba daemon, this is not the same level protection
as one-way hash.

Once a word has been allowed to escape, it cannot be recalled.
		-- Quintus Horatius Flaccus (Horace)

More information about the samba-technical mailing list